...

Known Issues

None at this time.

3.4.1.5 (April 29, 2024)

A new version of the Windows installer was released to address an installer issue with localized versions of Windows. The software itself is unchanged.

3.4.1.4 (October 11, 2023)

A new version of the Windows installer was released updating libcurl to 8.4.0 to address a security issue and to ensure that a more modern curl version has been shipped in case of future vulnerabilities. Other than rebuilding dependent libraries to accommodate a DLL name change, no other changes were made.

3.4.1.3 (June 12, 2023)

A new version of the Windows installer was released updating xmltooling to 3.2.4 to address a security issue. OpenSSL was also updated to 3.0.9 and a bug preventing optimized reloading of metadata via HTTP/2 was also fixed.

3.4.1.2 (March 13, 2023)

A new version of the Windows installer was released updating zlib to 1.2.13 to address a security issue. The version of libcurl was also updated to 7.88.1 in the process.

The installer was also patched to avoid overwriting file system ACLs on upgrades.

3.4.1.1 (February 8, 2023)

A new version of the Windows installer was released updating OpenSSL to 3.0.8 to address multiple security issues. The version of libcurl was also updated to 7.87.0 since it had to be rebuilt anyway.

As a general piece of advice, OpenSSL continues to be endemically impacted by bugs around its support of the hopelessly convoluted PKIX specification, and SPs should be configured wherever possible to bar the use of this code by turning off the PKIX TrustEngine. Because the V3 SP defaults to including PKIX support when no <TrustEngine> element is present in the configuration, it is a good idea to explicitly configure a single engine by adding this line somewhere inside the <ApplicationDefaults> element (if no other such element is present):

    <TrustEngine type="ExplicitKey" />

Note that enabling PKIX support does not by itself even allow certificates to be evaluated. Using that feature requires extensions to SAML metadata that carry trust anchors, which are very likely not present in any metadata seen in the wild.

3.4.1 (January 10, 2023)


This is a small patch to address a few bugs, in particular:

  • Reinforcing the xmltooling library (V3.2.3, included in this Windows release) to block an unnecessary XML Encryption construct, related to the advisory issued for the IdP recently. The SP is not believed to be vulnerable, but this is a defensive measure.

  • Adjusting the default ACL on Windows when the SP is installed outside of “Program Files” to prevent open write access to the folders. Note that with the huge variety of IIS security configurations, you may need to further adjust ACLs if unexpected user accounts are being used by IIS, so test before use. We will revert this change if people encounter problems, and you MUST take responsibility yourself for any ACL rules on your own servers; do not rely on us to get this right for you.

  • A warning has been added to the log when systems do not configure an explicit value for the redirectLimit setting. The default for this setting remains liberal for compatibility, so the warning was requested to highlight that fact.
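The two configuration points called out above (an explicit <TrustEngine> so the PKIX default is not silently in effect, and an explicit redirectLimit rather than the liberal default the new log warning flags) are easy to audit across a fleet of SPs with a small script. The following is an added example, not code from the Shibboleth project; it assumes the SP 3 configuration namespace urn:mace:shibboleth:3.0:native:sp:config, that <TrustEngine> sits under <ApplicationDefaults>, and that redirectLimit is an attribute of <Sessions>. The sample configurations are constructed for illustration.

```python
"""Audit a Shibboleth SP shibboleth2.xml for an explicit TrustEngine and an
explicit redirectLimit.  Added example; not part of the Shibboleth project."""
import xml.etree.ElementTree as ET

# Assumed SP 3 configuration namespace (not taken from the release notes).
SP_NS = "urn:mace:shibboleth:3.0:native:sp:config"
NS = {"sp": SP_NS}


def audit_sp_config(config_xml):
    """Return a list of findings; an empty list means nothing to flag."""
    root = ET.fromstring(config_xml)
    findings = []
    appdef = root.find("sp:ApplicationDefaults", NS)
    if appdef is None:
        return ["no <ApplicationDefaults> element found"]

    # 1. No <TrustEngine> at all means the V3 default, which includes PKIX.
    if appdef.find("sp:TrustEngine", NS) is None:
        findings.append("no <TrustEngine> configured: SP default includes PKIX")
    # Walk nested engines too, since a Chaining engine wraps other engines.
    for engine in appdef.iter("{%s}TrustEngine" % SP_NS):
        engine_type = engine.get("type", "")
        if "PKIX" in engine_type:
            findings.append("TrustEngine type '%s' enables PKIX evaluation" % engine_type)

    # 2. redirectLimit left unset keeps the liberal default the SP now warns about.
    sessions = appdef.find("sp:Sessions", NS)
    if sessions is None or sessions.get("redirectLimit") is None:
        findings.append("redirectLimit not set explicitly on <Sessions>")
    return findings


# Constructed sample: relies on the PKIX default and the default redirectLimit.
WEAK_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" checkAddress="false" handlerSSL="true"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample: single ExplicitKey engine and an explicit redirectLimit.
HARDENED_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" checkAddress="false" handlerSSL="true"
              redirectLimit="exact"/>
    <TrustEngine type="ExplicitKey"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample: a Chaining engine that still pulls in PKIX.
CHAINED_PKIX_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" redirectLimit="exact"/>
    <TrustEngine type="Chaining">
      <TrustEngine type="ExplicitKey"/>
      <TrustEngine type="PKIX"/>
    </TrustEngine>
  </ApplicationDefaults>
</SPConfig>"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("chained", CHAINED_PKIX_CONFIG)):
        print(name, audit_sp_config(cfg) or "OK")
```

Point the script at a real shibboleth2.xml by reading the file into audit_sp_config; any <ApplicationOverride> elements are not inspected here, so configurations that override the trust engine per application need a second pass over those elements.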

3.4.0 (November 3, 2022)


...